LockBit Rises: New Cross-Platform 5.0 Ransomware Eclipses Former Self
After a brief period of dormancy, the operator of the LockBit ransomware has returned to full-scale activity, unveiling a new and more sophisticated version of its malware. In the spring of 2024, the group’s infrastructure was dismantled during the international Operation Cronos, yet by autumn it became clear that LockBit had reemerged with renewed force. This resurgence coincided with the debut of LockBit 5.0, internally codenamed “ChuongDong”, which significantly broadened the platform’s capabilities.
Since September 2025, researchers at Check Point Research have documented a wave of attacks targeting organizations across Western Europe, North and South America, and Asia. Roughly half of the incidents involved the latest LockBit 5.0 build, while the remainder used older variants such as LockBit Black. Approximately 80% of all infections affected Windows systems, with the rest striking Linux servers and ESXi hypervisors, underscoring the cross-platform nature of the updated toolkit.
The renewed campaigns were accompanied by a restructuring of the affiliate program. The administrator, operating under the alias LockBitSupp, rebuilt the network of partners, granting access to the control panel and encryption tools for a $500 cryptocurrency deposit. Analysts note that this model effectively revived the ransomware-as-a-service ecosystem, restoring the group’s dominance in the cybercriminal underground.
LockBit 5.0 demonstrates notable technical advancement. Its encryption algorithms have been refined to work faster and more efficiently, drastically reducing the window of time available for incident response. Each attack now employs unique 16-character random file extensions, hindering detection by traditional security tools. New anti-debugging and anti–reverse-engineering mechanisms further complicate forensic analysis, making it significantly harder for researchers to dissect the malware’s internal logic.
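Because the extension changes with every attack, a fixed extension blocklist cannot match it, but the behaviour itself is detectable. The following sketch is an added example, not code from Check Point Research or from the original article: it flags a burst of file renames that all gain the same 16-character, high-entropy extension. The alphanumeric character set, the thresholds, the event tuple format and all function names are assumptions made for illustration.

```python
import math
import os
from collections import Counter, defaultdict

EXT_LEN = 16          # extension length the article reports for LockBit 5.0
MIN_FILES = 5         # assumed: renames needed before alerting
WINDOW_SECONDS = 60   # assumed: sliding window for the burst
MIN_ENTROPY = 3.0     # assumed: bits per character floor for "random-looking"

def shannon_entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_extension(path):
    """Return the extension if it is 16 alphanumeric, high-entropy characters."""
    ext = os.path.splitext(path)[1].lstrip(".")
    if len(ext) == EXT_LEN and ext.isalnum() and shannon_entropy(ext) >= MIN_ENTROPY:
        return ext
    return None

def detect_bursts(events):
    """events: (timestamp_seconds, old_path, new_path) rename records.
    Returns {extension: total renames} for each suspicious extension that
    reached MIN_FILES renames inside one WINDOW_SECONDS window."""
    by_ext = defaultdict(list)
    for ts, old, new in events:
        ext = suspicious_extension(new)
        if ext and not old.endswith("." + ext):  # file newly gained the extension
            by_ext[ext].append(ts)
    alerts = {}
    for ext, stamps in by_ext.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 >= MIN_FILES:
                alerts[ext] = len(stamps)
                break
    return alerts

# Constructed sample events for illustration; not real telemetry or a real IoC.
EXT = "k9Xq2LmZ7vBt4RwY"
SAMPLE = [(100 + i, f"/srv/share/doc{i}.xlsx", f"/srv/share/doc{i}.xlsx.{EXT}") for i in range(6)]
SAMPLE += [(50, "/srv/share/a.txt", "/srv/share/a.bak"),             # benign rename
           (400, "/tmp/x.dat", "/tmp/x.dat.Zz81PqLm03TyUeWn")]       # single event, below threshold

if __name__ == "__main__":
    print(detect_bursts(SAMPLE))
```

In practice the rename records would come from endpoint or file-server telemetry, and the thresholds would be tuned against normal activity on the monitored shares.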
The extortion mechanism has also evolved. Victims now receive ransom notes explicitly referencing LockBit 5.0, accompanied by personalized negotiation links. Strict deadlines are enforced: if contact is not established within 30 days, the stolen data will be publicly released. This fusion of technical sophistication and psychological pressure once again underscores the resilience and discipline of well-organized cybercriminal syndicates.